In number theory, the general number field sieve (GNFS) is the most efficient classical algorithm known for factoring integers larger than 10¹⁰⁰. Heuristically, its complexity for factoring an integer n (consisting of ⌊log₂ n⌋ + 1 bits) is of the form

in O and L-notations. It is a generalization of the special number field sieve: while the latter can only factor numbers of a certain special form, the general number field sieve can factor any number apart from prime powers (which are trivial to factor by taking roots).

The principle of the number field sieve (both special and general) can be understood as an improvement to the simpler rational sieve or quadratic sieve. When using such algorithms to factor a large number n, it is necessary to search for smooth numbers (i.e. numbers with small prime factors) of order n^1/2. The size of these values is exponential in the size of n (see below). The general number field sieve, on the other hand, manages to search for smooth numbers that are subexponential in the size of n. Since these numbers are smaller, they are more likely to be smooth than the numbers inspected in previous algorithms. This is the key to the efficiency of the number field sieve. In order to achieve this speed-up, the number field sieve has to perform computations and factorizations in number fields. This results in many rather complicated aspects of the algorithm, as compared to the simpler rational sieve.

The size of the input to the algorithm is log₂ n or the number of bits in the binary representation of n. Any element of the order n^c for a constant c is exponential in log n. The running time of the number field sieve is super-polynomial but sub-exponential in the size of the input.

Suppose f is a k-degree polynomial over ${\textstyle \mathbb {Q} }$ (the rational numbers), and r is a complex root of f. Then, f(r) = 0, which can be rearranged to express r^k as a linear combination of powers of r less than k. This equation can be used to reduce away any powers of r with exponent e ≥ k. For example, if f(x) = x² + 1 and r is the imaginary unit i, then i² + 1 = 0, or i² = −1. This allows us to define the complex product:

In general, this leads directly to the algebraic number field ${\textstyle \mathbb {Q} [r]}$, which can be defined as the set of complex numbers given by:

The product of any two such values can be computed by taking the product as polynomials, then reducing any powers of r with exponent e ≥ k as described above, yielding a value in the same form. To ensure that this field is actually k-dimensional and does not collapse to an even smaller field, it is sufficient that f is an irreducible polynomial over the rationals. Similarly, one may define the ring of integers ${\textstyle \mathbb {O} _{\mathbb {Q} [r]}}$ as the subset of ${\textstyle \mathbb {Q} [r]}$ which are roots of monic polynomials with integer coefficients. In some cases, this ring of integers is equivalent to the ring ${\textstyle \mathbb {Z} [r]}$. However, there are many exceptions.

Two polynomials f(x) and g(x) of small degrees d and e are chosen, which have integer coefficients, which are irreducible over the rationals, and which, when interpreted mod n, have a common integer root m. An optimal strategy for choosing these polynomials is not known; one simple method is to obtain f from the base-m expansion of n for an appropriate choice of m. More precisely: for any choice of m, writing n in base m is, by definition, finding digits ${\textstyle a_{0},a_{1},\ldots ,a_{d}}$ where ${\textstyle 0\leq a_{i}<m}$ for each i, such that